Critical USB flaw means PC users ‘can never trust anything anymore’

USB devices are harbouring a security defect that could mean that computer users the world over can “never trust anything anymore” when plugging in an “innocent” memory stick.

Security experts speaking at the annual Black Hat conference in Las Vegas explained that a flaw within USB devices means they can be used to exploit PCs even though they may appear to be completely blank.

"It may not be the end of the world today," Karsten Nohl told journalists, according to the BBC, "but it will affect us, a little bit, every day, for the next 10 years. Basically, you can never trust anything anymore after plugging in a USB stick."

The flaw affects a small chip inside a USB device that “tells” the computer what the device is. This can be changed in order to trick the PC into thinking the device is anything from a smartphone or tablet to a keyboard or other input peripheral.

In one demo, Nohl and his fellow expert Jakob Lell showed that a normal USB drive inserted into a computer can use malicious code planted on the stick to trick the computer into thinking a keyboard has been plugged in. After a few moments the “keyboard” was able to type in commands and tell the PC to download a malicious program from the Internet.

The BBC was shown another instance in which a Samsung smartphone was plugged into a PC and, once connected, masqueraded as a network card, so that when a user accessed the Internet their browsing was hijacked. In this case, an illicit version of PayPal was created and the login details stolen.

Even when a USB device has been formatted it can still harbour the malware, and both Nohl and other security researchers are urging extreme caution when plugging any USB device into a machine.
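Since formatting does not help, checking the files on a stick says nothing; what a defender can inspect is what the device announces itself as when it is plugged in. The following is an added example, not code from the researchers or the original article: it compares the interface classes a device enumerates with against the role it was registered under. The role inventory, device names and sample descriptors are constructed assumptions; the class codes are the standard USB ones.

```python
# USB base class codes, as carried in each interface descriptor (bInterfaceClass).
CDC_COMM, HID, IMAGE, MASS_STORAGE, CDC_DATA = 0x02, 0x03, 0x06, 0x08, 0x0A
WIRELESS, VENDOR = 0xE0, 0xFF
NETWORK_CLASSES = {CDC_COMM, CDC_DATA, WIRELESS}
KEYBOARD_PROTOCOL = 0x01  # bInterfaceProtocol of a HID keyboard

# Assumed policy: interface classes each inventory role may expose.
ALLOWED = {
    "storage": {MASS_STORAGE},
    "phone": {MASS_STORAGE, IMAGE, VENDOR},
    "keyboard": {HID},
}

def audit(device):
    """Return findings for one enumerated device; an empty list means it matches its role."""
    allowed = ALLOWED.get(device["role"], set())  # unknown role: nothing is allowed
    findings = []
    for cls, _subclass, protocol in device["interfaces"]:
        if cls in allowed:
            continue
        if cls == HID and protocol == KEYBOARD_PROTOCOL:
            findings.append("keyboard interface on a device registered as " + device["role"])
        elif cls in NETWORK_CLASSES:
            findings.append("network interface on a device registered as " + device["role"])
        else:
            findings.append("unexpected interface class 0x%02x" % cls)
    return findings

def report(devices):
    """Map device name -> findings, only for devices that deviate from their role."""
    results = {d["name"]: audit(d) for d in devices}
    return {name: found for name, found in results.items() if found}

# Constructed sample data: (class, subclass, protocol) per interface.
SAMPLES = [
    {"name": "stick-clean", "role": "storage", "interfaces": [(0x08, 0x06, 0x50)]},
    {"name": "stick-retyped", "role": "storage",
     "interfaces": [(0x08, 0x06, 0x50), (0x03, 0x01, 0x01)]},
    {"name": "phone-net", "role": "phone",
     "interfaces": [(0xFF, 0x42, 0x01), (0xE0, 0x01, 0x03)]},
    {"name": "desk-keyboard", "role": "keyboard", "interfaces": [(0x03, 0x01, 0x01)]},
]

if __name__ == "__main__":
    for name, findings in report(SAMPLES).items():
        for finding in findings:
            print(name + ": " + finding)
```

A device that has been changed to present only as a keyboard looks like any other keyboard at this level, so the check depends on knowing in advance what each device is supposed to be.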

"USB is ubiquitous across all devices," Mike McLaughlin, security researcher at First Base Technologies, stated. "It comes down to the same old saying - don't plug things in that you don't trust. Any business should always have policies in place regarding USB devices and USB drives. Businesses should stop using them if needed."

Nohl added that the approach to USB among every computer user “will have to change” and device manufacturers will be scrabbling to patch up this flaw before it causes more problems.